Inside Exchange Cluster Setup and Troubleshooting Tips (Part2)

Nirmal Sharma [Microsoft MVP, MCSEx3]

Nirmal is a Microsoft MVP in Directory Service. He has been involved in Microsoft Technologies since 1994 and followed the progression of Microsoft Operating System and software. He is specialised in writing “internal” technical articles, white papers and tips on various Microsoft technologies.

In this second part we complete the discussion of what happens before the cluster installation starts. We look at more functions that verify that all necessary requirements are satisfied for the installation to proceed.

Exchange Setup First Steps - Validate Server, Get Domain and Exchange-specific information

In the first part of this article we introduced a figure showing the internal process that takes place before the Cluster installation starts. We will continue discussing this figure, so here it is again:

FIGURE A - Exchange Setup Internal Process Before Starting Cluster Installation.

As shown in figure A, Exchange Setup performs many tasks. It executes many functions to check the computer and Active Directory status.

Before it proceeds to check anything, it calls its first procedure, ScAutoDetectDirectoryLocations. The purpose of this function is to identify the Active Directory location. It must be executed to get the list of domains and their controllers. If it cannot find any domain, the setup will fail. This information is required by Exchange Setup to update the schema and query the domains for some setup-specific information.

Exchange Setup checks that the server computer is a domain member by calling ScIsComputerMemberOfDomain. The Sc prefix stands for Setup Check. This procedure executes a function called NetGetJoinInformation, which is executed against the domain to get the status of the server computer on which Exchange is to be installed. The query returns the value of NETSETUP_JOIN_STATUS along with the domain name. The value could be one of the following:

NETSETUP_JOIN_STATUS = 1 - Domain Controller

NETSETUP_JOIN_STATUS = 2 - Not-Joined or Stand-Alone Server

NETSETUP_JOIN_STATUS = 3 - Member Server

The Setup will return 3 if the computer is a domain member.

Troubleshooting Tips

If you think the server is a domain member and Exchange Setup still fails, check the value of NETSETUP_JOIN_STATUS in the Exchange Server Setup Progress.log file, as shown in the figure below:

FIGURE A.3 - Domain Join Status Value Returned by the Exchange Setup.

The setup leaves the domain join procedure after it confirms the server is a domain member, reporting a generic message in the Exchange Setup log file. The message says "The computer is a member of a domain", as shown in the figure above.

***

Next we get to the call to the CDirectoryManager procedure. This is the main procedure for Exchange Setup and is called many times throughout the setup process. It contains a set of functions that are executed against the domain to get the computer site name, the domain name, the Schema Master FSMO role, the Configuration Naming Partition and other domain information. The function responsible for getting this information is DsRoleGetPrimaryDomainInformation, as shown in figure A.

Setup automatically finds the schema master FSMO role and the Configuration Naming partitions by querying the domain.

FIGURE A.4 - Getting Domain Information

From the last figure, we can see how setup finds all the domain related information. It also finds the Configuration Naming Partition which is stored in strConfigNC to be used by the Setup later.

From here we also see that the setup found the Schema Master FSMO role and the domain in which the schema master currently resides.

You should always make sure that the server is a domain member. Otherwise Exchange Setup will fail to retrieve this information. Please note that Exchange Setup doesn't perform any operation on the secure channel between the member computer and the domain. It just checks the server status by executing the above-mentioned function and returns the value in the Exchange Setup log file.

Troubleshooting Tips

  1. Make sure the server is a member of the domain.

  2. Make sure the secure channel between the member server and the domain is not broken. You can use the NETDOM or NLTEST utility to query and reset the secure channel.

  3. Make sure the Schema Master is alive before you run Exchange Setup. You should always check the Exchange log file and find the Schema Master status as shown in the figure above.
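
The three checks above can be run together before starting Setup. The following is an added example, not part of the original article or of Exchange Setup; the function name `Test-ExchangeSetupPrereq` is hypothetical, and it assumes an elevated Windows PowerShell 5.1 session on Windows Server 2012 R2 or later (for `Test-NetConnection`). It only reads state and never resets the secure channel.

```powershell
# Added example (not from the article): read-only pre-flight checks.
# Assumes an elevated Windows PowerShell 5.1 session on the target server.
function Test-ExchangeSetupPrereq {
    $r = [ordered]@{
        PartOfDomain  = $false; Domain       = $null
        SecureChannel = $null;  SchemaMaster = $null
        SchemaMasterLdapReachable = $null;   Problems = @()
    }

    # Tip 1: is the computer joined to a domain?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r.PartOfDomain = [bool]$cs.PartOfDomain
    $r.Domain       = $cs.Domain
    if (-not $r.PartOfDomain) {
        $r.Problems += 'Computer is not a domain member.'
        return [pscustomobject]$r
    }

    # Tip 2: verify (do not reset) the machine account's secure channel.
    # Command-line equivalent: nltest /sc_verify:<domain>
    try {
        $r.SecureChannel = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
        if (-not $r.SecureChannel) {
            $r.Problems += 'Secure channel to the domain failed verification.'
        }
    } catch {
        $r.Problems += "Secure channel could not be checked: $($_.Exception.Message)"
    }

    # Tip 3: locate the Schema Master and confirm it answers on LDAP (TCP 389).
    try {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $r.SchemaMaster = $forest.SchemaRoleOwner.Name
        $r.SchemaMasterLdapReachable = Test-NetConnection -ComputerName $r.SchemaMaster `
            -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $r.SchemaMasterLdapReachable) {
            $r.Problems += "Schema Master $($r.SchemaMaster) is not reachable on TCP 389."
        }
    } catch {
        $r.Problems += "Could not resolve the Schema Master: $($_.Exception.Message)"
    }

    [pscustomobject]$r
}

Test-ExchangeSetupPrereq | Format-List
```

An empty `Problems` list means all three tips are satisfied; a failed secure channel check should be investigated before any reset is attempted, since a reset changes the machine account password.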

***

The next function of CDirectoryManager is ScDeterminePermissionLevel. This function returns the permissions you currently have to update the schema and domain naming partition. This is a very critical function for Exchange Setup. The function checks the permissions on the following NCs in the Active Directory domain:

/dc=com/dc=domainname/cn=Configuration/cn=Services
Read, Write, SetPermissions

/dc=com/dc=domainname/cn=Configuration/cn=Schema
Update Schema (Read, Write)

/dc=com/dc=domainname
Read, Write

The Setup checks whether we have the necessary permissions for updating these NCs. It executes the above function against the NC as shown in the figure below. The currently logged on user must have at least the above permissions for Exchange Setup to work correctly. These permissions should be verified at the beginning before Setup starts to update the schema or other NCs.

FIGURE A.5 - Permissions required by the Exchange Setup to update Active Directory

As shown, the function CDirectoryManager executes the ScDeterminePermissionLevel function and returns the available permissions on the Active Directory NCs.

Troubleshooting Tips

If Exchange Setup fails, make sure you have the required permission levels on the NCs in Active Directory. This is required by the setup when you update the schema and other NCs as mentioned above. It is not necessary to have Schema Administrator rights to update the schema. You should have the above mentioned permissions on the Root of each NC.

***

Both Exchange 2003 and Exchange 2007 return a value for the Final Set of Permissions. The Final Permissions Set value was shown earlier in the main figure A and is also shown in the Exchange Server Setup Progress.log file below. This value is 0XF0C0E0E0 and is returned when Exchange Setup has full permissions on all the NCs in Active Directory. In Exchange Server Setup Progress.log file, the value is shown here:

FIGURE A.6 - Final Set of Permissions in the Log file

After setup has detected that it has permissions on all the required NCs, it just leaves the CDirectoryManager procedure and executes ScGetSchemaVersion and ScGetCountOfOrgsInDomain. The main purposes of these two functions are:

ScGetSchemaVersion
This function gets the current version of the Exchange attribute in the forest. The attribute that stores the version information is ms-Exch-Schema-Version-Pt. This attribute is located at the following location in the NC:
/dc=com/dc=domainname/cn=Configuration/cn=Schema

Please note the setup must determine the current schema version for Exchange. If it finds that the schema is incompatible with Exchange, it runs the PrepareForest or ForestPrep when you run the Exchange Server Setup. This process is explained further in the next article section.

ScGetCountOfOrgsInDomain
This function checks whether there is any existing Exchange Organization in Active Directory. If you already have an Exchange Organization, the function determines the Organization name by querying the following CN:
/dc=com/dc=domainname/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=Exchange_ORG_Name

OR using ADSIEdit.msc:

FIGURE A.7 - Exchange Organization Name retrieved by ScGetCountOfOrgsInDomain
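
The same two lookups that ScGetSchemaVersion and ScGetCountOfOrgsInDomain perform can be reproduced read-only from a domain-joined machine. This is an added example, not code from the article or from Exchange Setup; the function name `Get-ExchangeDirectoryState` is hypothetical, and it assumes the version is read from the `rangeUpper` property of the ms-Exch-Schema-Version-Pt schema object and that organization containers have the object class `msExchOrganizationContainer`.

```powershell
# Added example (not from the article): read the Exchange schema version and
# list existing Exchange Organizations, using the logged-on user's rights.
function Get-ExchangeDirectoryState {
    # RootDSE gives the real distinguished names of the Schema and
    # Configuration NCs, so nothing about the forest name is hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = [string]$rootDse.schemaNamingContext
    $configNC = [string]$rootDse.configurationNamingContext

    $state = [ordered]@{
        SchemaNC              = $schemaNC
        ConfigNC              = $configNC
        ExchangeSchemaVersion = $null      # stays $null if the schema was never extended
        Organizations         = @()        # stays empty if no Organization exists
    }

    # ScGetSchemaVersion equivalent: ms-Exch-Schema-Version-Pt under the Schema NC.
    # Assumption: the version number is held in the object's rangeUpper property.
    $verPath = "LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC"
    if ([System.DirectoryServices.DirectoryEntry]::Exists($verPath)) {
        $state.ExchangeSchemaVersion = [int](([ADSI]$verPath).rangeUpper.Value)
    }

    # ScGetCountOfOrgsInDomain equivalent: children of
    # CN=Microsoft Exchange,CN=Services in the Configuration NC.
    $exPath = "LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    if ([System.DirectoryServices.DirectoryEntry]::Exists($exPath)) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$exPath)
        $searcher.Filter      = '(objectClass=msExchOrganizationContainer)'
        $searcher.SearchScope = 'OneLevel'
        [void]$searcher.PropertiesToLoad.Add('name')
        $state.Organizations = @($searcher.FindAll() |
            ForEach-Object { [string]$_.Properties['name'][0] })
    }

    [pscustomobject]$state
}

Get-ExchangeDirectoryState | Format-List
```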

If setup detects that an Exchange Organization already exists in Active Directory, it verifies the permissions on the Organization and Administrative Group by querying the following CNs:

For Organization:
ExchOrg_Write
ExchOrg_SetPerms
ExchAG_Write
ExchAG_SetPerms

/dc=com/dc=domainname/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=Exchange_ORG_Name

For Administrative Group:
ExchOrg_Read

/dc=com/dc=domainname/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=Exchange_ORG_Name/cn=Administrative Groups

You can also see the above CNs and their permissions in the Exchange Server Setup Progress Log File:

FIGURE A.8 - Checking Existing Exchange Organization and Verifying Permissions

After verifying the existing Exchange organization, setup looks for the server object. The server object is the computer where we are going to install Exchange. The log file says that it couldn't find any server object.

Troubleshooting Tips

If you have already extended the schema using Exchange Setup and the setup is not able to create the Server object in the existing Exchange Organization, check the Exchange permissions on the CNs mentioned above.

***

After setup has detected that it has enough permissions, it enters installation mode as shown below.

FIGURE A.9 - Exchange Setup entering into Installation Mode

The idsSetupMode is set to "Install", indicating that we are performing an install operation. This would be set to "Remove" in case we were removing the Exchange Server.

Conclusion

In the last part of the Setup Work - Before Cluster Installation section, we explained the functions that Exchange Setup executes to get information from the Active Directory domain, and saw why Setup depends on them during the installation. This part also explained the permissions required by Exchange Setup before it can update the Active Directory Schema, and the corresponding entries in the Exchange Setup log files that are useful for troubleshooting. Finally, we saw how Exchange Setup uses the CDirectoryManager procedure many times during the installation to execute the functions defined within it.

In the next part of this article we will focus on the Exchange Cluster Installation process, starting the second section of this article series.
